oracle-base - linux samba configuration

Upload: rahulhcl

Post on 27-Feb-2018


  • 7/25/2019 ORACLE-BASE - Linux Samba Configuration


    Linux Samba Configuration

    This article provides an introduction to Samba configuration on Linux, with specific reference to the information needed for the RHCE EX300 certification exam.

    Remember, the exams are hands-on, so it doesn't matter which method you use to achieve the result, so long as the end product is correct.

    Installation

    Firewall

    SELinux

    Create Network Shares

    Create Network Shares for Group Collaboration

    Security

    Mapping User Names

    Mounting Samba Shares

    Related articles.

    Linux File Systems (mkfs, mount, fstab)

    Linux NFS Configuration

    Installation

    The Samba service is installed from a Yum repository using the following command.

    # yum install samba

    Turn on the Samba server and make sure it starts automatically on reboot.

    # service smb start
    # chkconfig smb on

    Samba is configured by altering the contents of the "/etc/samba/smb.conf" and "/etc/samba/smbusers" files.

    Configuration changes have to be followed by a reload or a restart of the smb service.

    # service smb restart
    # # or
    # service smb reload
    # /etc/init.d/smb reload

    Firewall

    If you are using the Linux firewall, you need to open ports 139 and 445 specifically. The Samba documentation suggests opening 3 additional ports also. Assuming you are using a firewall setup file, as described here, you can include the following additions to the INPUT chain.


    //www.oracle-base.com/articles/linux/linux-samba-configuration.php 1


    # Open ports for SAMBA.
    iptables -A INPUT -p tcp --dport 135 -j ACCEPT
    # NetBIOS name (137) and datagram (138) services use UDP, not TCP.
    iptables -A INPUT -p udp --dport 137 -j ACCEPT
    iptables -A INPUT -p udp --dport 138 -j ACCEPT
    iptables -A INPUT -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -p tcp --dport 445 -j ACCEPT

    SELinux

    If you are using SELinux, you will need to consider the following points.

    The SELinux booleans associated with the Samba service are displayed using the getsebool command.

    # getsebool -a | grep samba
    samba_create_home_dirs --> off
    samba_domain_controller --> off
    samba_enable_home_dirs --> off
    samba_export_all_ro --> off
    samba_export_all_rw --> off
    samba_run_unconfined --> off
    samba_share_fusefs --> off
    samba_share_nfs --> off
    sanlock_use_samba --> off
    use_samba_home_dirs --> off
    virt_use_samba --> off
    #

    The setsebool command is used to set a specific boolean value.

    # setsebool use_samba_home_dirs on
    # setsebool use_samba_home_dirs off

    The samba_share_t context should be assigned to all content.

    # semanage fcontext -a -t samba_share_t "/u01(/.*)?"
    # restorecon -F -R -v /u01

    You can check the current context setting on files and directories using the "ls -alZ" command.

    More information on SELinux can be found here.

    Create Network Shares

    Shares are created by editing the "/etc/samba/smb.conf" file. In RHEL5 and Fedora distributions you can use a GUI tool called system-config-samba, but this has been removed from RHEL6.

    The "/etc/samba/smb.conf" file contains an example share definition towards the bottom of the file. The ";" characters are comments.

    # A publicly accessible directory, but read only, except for people in
    # the "staff" group
    ; [public]
    ; comment = Public Stuff
    ; path = /home/samba
    ; public = yes
    ; writable = yes
    ; printable = no
    ; write list = +staff

    More detailed information is available using the "man smb.conf" or "info smb.conf" commands. The following example defines a share accessible to a user called "john_doe" and members of the "developers" group.

    [u01]


    valid users = john_doe @developers
    write list = john_doe @developers
    path = /u01
    writeable = yes
    create mask = 0775

    Remember to reload the configuration, or restart the smb service for the changes to take effect.

    The next section shows a worked example, so this should make things a little clearer.

    Create Network Shares for Group Collaboration

    This section describes the steps necessary to create Samba shares suitable for group collaboration.

    Create a group that will act as the owner of the shared files.

    # groupadd developers

    Create some users that are assigned to the "developers" group.

    # useradd dev1 -G developers

    # passwd dev1 # password set to dev1

    # id dev1
    uid=501(dev1) gid=504(dev1) groups=504(dev1),506(developers)
    #

    # useradd dev2 -G developers
    # passwd dev2 # password set to dev2

    # id dev2
    uid=502(dev2) gid=505(dev2) groups=505(dev2),506(developers)
    #

    Set the Samba password for the users.

    # smbpasswd -a dev1
    New SMB password:
    Retype new SMB password:
    Added user dev1.
    #

    # smbpasswd -a dev2
    New SMB password:
    Retype new SMB password:
    Added user dev2.
    #

    Create a directory to own the shared files, making sure its group is set correctly. The permissions are set to "g+rwx" (0770), since the group is the defining factor in accessing data in this directory.

    # mkdir /developers_dir
    # chgrp developers /developers_dir
    # chmod g+s /developers_dir
    # chmod -R 770 /developers_dir

    Add the following share into the "/etc/samba/smb.conf" file. Notice the 0770 permissions again, so users don't accidentally create files that can't be amended by other members of the group.

    [devshare]
    browseable=yes
    path = /developers_dir
    force group = +developers
    valid users = @developers
    write list = @developers
    create mask = 0770


    force create mode = 660

    Reload the Samba configuration.

    # service smb reload
    Reloading smb.conf file: [ OK ]
    #

    From another machine, mount the share as the "dev1" user and create a file.

    # mkdir -p /u01/dev1
    # mount -t cifs -o rw,username=dev1,password=dev1 //192.168.0.190/devshare /u01/dev1
    # echo "apples" >> /u01/dev1/test.txt

    From another machine, mount the share as the "dev2" user and edit the file created previously.

    # mkdir -p /u01/dev2
    # mount -t cifs -o rw,username=dev2,password=dev2 //192.168.0.190/devshare /u01/dev2
    # echo "oranges" >> /u01/dev2/test.txt
    # cat /u01/dev2/test.txt
    apples
    oranges
    #

    Security

    The basic user security model for Samba is quite simple. As shown previously, existing Linux users can be made into Samba users by issuing the "smbpasswd -a" command. This allows shares to be made user-specific by adding the users into the "valid users" and "write list" entries of the "/etc/samba/smb.conf" file.

    In a similar manner, permissions can be set at the group-level by specifying the group with a preceding "@" symbol.

    Host-level security can be controlled using the Linux Firewall, or by addition of the "hosts allow" or "hosts deny" parameters to the share definitions in the "/etc/samba/smb.conf" file. If these settings are placed in the "[global]" section of the file, they affect all share definitions.
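
    A way to check a configuration against the controls described in this section, as an added example that is not part of the original article: the script parses smb.conf text and reports, per share, whether guest access is on and whether "valid users" or "hosts allow"/"hosts deny" restrictions are missing. The function names and the sample text are assumptions made for the illustration.

```python
import re
# Constructed sample: the article's [devshare] plus the stock [public] example, uncommented.
SAMPLE = """\
[devshare]
browseable=yes
path = /developers_dir
valid users = @developers
write list = @developers

[public]
path = /home/samba
public = yes
writable = yes
"""
SYNONYMS = {"public": "guestok", "allowhosts": "hostsallow", "denyhosts": "hostsdeny"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; no line continuations or include files."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # "#" and ";" start comment lines
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Parameter names ignore case and internal whitespace.
            key = re.sub(r"\s+", "", name).lower()
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit_shares(text):
    """Return {share: [findings]} for the controls named in the Security section."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    report = {}
    for share, params in conf.items():
        eff = {**glob, **params}  # [global] values act as defaults for each share
        # Host lists set in [global] apply to every share, whatever the share says.
        eff.update({k: glob[k] for k in ("hostsallow", "hostsdeny") if k in glob})
        checks = [
            (eff.get("guestok", "no").lower() in ("yes", "true", "1"), "guest access enabled"),
            (not eff.get("validusers"), "no valid users restriction"),
            (not (eff.get("hostsallow") or eff.get("hostsdeny")), "no hosts allow/deny restriction"),
        ]
        report[share] = [msg for failed, msg in checks if failed]
    return report
```

    Calling audit_shares(SAMPLE) returns the findings for both shares; on a live system the output of "testparm -s" is the authoritative view of the effective settings.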

    Mapping User Names

    The "/etc/samba/smbusers" file is used to map Samba user names to Linux user names, allowing for different naming standards between machines running different operating systems. The default settings in the file map the common Windows users of "admin" and "administrator" to the Linux "root" user.

    # Unix_name = SMB_name1 SMB_name2 ...
    root = administrator admin
    nobody = guest pcguest smbguest

    Mounting Samba Shares

    The following links point to articles on this site about mounting Samba shares:

    mount and unmount

    /etc/fstab

    Credentials File

    For more information see:

    Samba Documentation

    RHEL6 Managing Confined Services : Samba

    Linux man pages

    RHCSA and RHCE

    Linux File Systems (mkfs, mount, fstab)

    Linux NFS Configuration

    Hope this helps. Regards Tim...
